1 

Using the Physical Layer for Wireless 
Authentication in Time- Variant Channels 

Liang Xiao, Student Member, IEEE, Larry J. Greenstein, Life Fellow, IEEE, 
Narayan B. Mandayam, Senior Member, IEEE and Wade Trappe, Member, IEEE, 



o 
o 



00 

U 

O 



> 

o 

On 
O 



X 



Abstract — The wireless medium contains domain-specific in- 
formation that can be used to complement and enhance tradi- 
tional security mechanisms. In this paper we propose ways to 
exploit the spatial variability of the radio channel response in a 
rich scattering environment, as is typical of indoor environments. 
Specifically, we describe a physical-layer authentication algorithm 
that utilizes channel probing and hypothesis testing to determine 
whether current and prior communication attempts are made 
by the same transmit terminal. In this way, legitimate users 
can be reliably authenticated and false users can be reliably 
detected. We analyze the ability of a receiver to discriminate 
between transmitters (users) according to their channel frequency 
responses. This work is based on a generalized channel response 
with both spatial and temporal variability, and considers correla- 
tions among the time, frequency and spatial domains. Simulation 
results, using the ray-tracing tool WiSE to generate the time- 
averaged response, verify the efficacy of the approach under 
realistic channel conditions, as well as its capability to work 
under unknown channel variations. 



I. Introduction 

As wireless devices become increasingly pervasive and 
essential, they are becoming both a target for attack and the 
very weapon with which such an attack can be carried out. 
Traditional high-level computer and network security tech- 
niques can, and must, play an important role in combating such 
attacks, but the wireless environment presents both the means 
and the opportunity for new forms of intrusion. The devices 
that comprise a wireless network are low-cost commodity 
items that are easily available to potential intruders and also 
easily modifiable for such intrusion. In particular, wireless 
networks are open to intrusion from the outside without the 
need for a physical connection and, as a result, techniques that 
would provide a high level of security in a wired network have 
proven inadequate in a wireless network, as many motivated 
groups of students have readily demonstrated [l]-[3]. 

Although conventional cryptographic security mechanisms 
are essential to securing wireless networks, these techniques 
do not directly leverage the unique properties of the wireless 
domain to address security threats. The physical properties of 
the wireless medium are a powerful source of domain-specific 
information that can be used to complement and enhance 
traditional security mechanisms. In this paper, we propose 
a cross-layer approach to augment the security of wireless 
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networks for indoor wireless environments. In particular, we 
believe that the nature of the wireless medium can be turned to 
the advantage of the network engineer when trying to secure 
wireless communications. The enabling factor in our approach 
is that, in the rich multipath environment typical of wireless 
scenarios, the response of the medium along any transmit- 
receive path is frequency-selective (or in the time domain, 
dispersive) in a way that is location-specific. This means: 

1) The channel can be specified by a number of complex 
samples either in the frequency domain (a set of complex 
gains at a set of frequencies) or the time domain (a set 
of impulse response samples at a set of time delays). 

2) Such sets of numbers decorrelate from one transmit- 
receive path to another if the paths are separated by the 
order of an RF wavelength or more. 

While using the physical layer to enhance security might 
seem to be a radical paradigm shift for wireless systems, we 
note that this is not the first time that multipath and advanced 
physical layer methods have proven advantageous. Specifi- 
cally, we are encouraged in our belief by two notable parallel 
paradigm shifts in wireless systems: (1) code division multiple 
access (CDMA) systems [4], where the use of Rake processing 
transforms multipath into a diversity-enhancing benefit; and 
(2) multiple-input multiple-output (MIMO) antenna techniques 
[5], which transform scatter-induced Rayleigh fading into a 
capacity-enhancing benefit. 

Note that there have been recent efforts in studying the 
information and secrecy capacity [6]-[8], that can be achieved 
by using the radio channel information. In contrast, this paper 
studies the feasibility of using such radio channel information. 
It does so by explicitly devising hypothesis testing procedures 
to estimate and track the radio channel for authentication 
purposes. 

We begin (Section Hill by reviewing some related work. 
Then (Section [TlTb . we provide an overview of our proposed 
PHY-layer authentication service. We next present a general 
time-variant channel model (Section |IV| ) that we will use 
as the basis for our discussions in this paper. In Section 
[VI we describe a hypothesis testing framework for physical 
layer authentication. In Section [VTJ we present an overview 
of our simulation approach. We present our simulation results 
in Section IVII1 and wrap up the paper in Section IVIIII with 
concluding remarks. 

II. Related Work 

In commodity networks, such as 802.11 networks, it is 
easy for a device to alter its MAC address and claim to be 
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another device by simply issuing an ifconfig command. 
This weakness is a serious threat, and there are numerous 
attacks, ranging from session hijacking [9] to attacks on 
access control lists [2], which are facilitated by the fact that 
an adversarial device may masquerade as another device. 
In response, researchers have proposed using physical layer 
information to enhance wireless security. For example, spectral 
analysis has been used to identify the type of wireless network 
interface card (NIC), and thus to discriminate among users 
with different NICs [10]. A similar method, radio frequency 
fingerprinting, discriminates wireless devices according to the 
transient behavior of their transmitted signals [11]. For more 
general networks, the clock skew characteristic of devices 
has been viewed as a remote fingerprint of devices over 
the Internet [12]. In addition, the inherent variability in the 
construction of various digital devices has been used to detect 
intrusion [13]. 

More recently, the wireless channel has been explored as a 
new form of fingerprint for wireless security. The reciprocity 
and rich multipath of the ultrawideband channel has been used 
as a means to establish encryption keys [6]. In [14], a practical 
scheme to discriminate between transmitters was proposed and 
identifies mobile devices by tracking measurements of signal 
strength from multiple access points. A similar approach was 
considered for sensor networks in [15]. Concurrent to these 
efforts, the present authors have built a significance test that 
exploits the spatial variability of propagation to enhance the 
authentication in the stationary, time-invariant channel [16]. In 
this paper, we have significantly expanded the method to cover 
a more generalized channel, where there are time variations 
due to changes in the environment. As in [16], however, the 
ends of the link remain stationary, as might be the case for a 
population of users sitting in a room or airport terminal. We 
will see that, in some cases, the time variations improve the 
authentication. 

III. Problem Overview 

Authentication is traditionally associated with the assurance 
that a communication comes from a specific entity [17]. In 
the context of physical layer authentication, however, we are 
not interested in identity, per se, but rather are interested in 
recognizing a particular transmitting device. The ability to 
distinguish between different transmitters would not replace 
traditional identity-based authentication, but would be partic- 
ularly valuable as a wireless system enhancement. Such an 
approach would be beneficial for scenarios where managing 
cryptographic key material is difficult, and further would 
reduce the load placed on higher-layer authentication buffers. 

Here, we borrow from the conventional terminology of 
the security community by introducing three different parties: 
Alice, Bob and Eve. For our purposes, these three entities 
may be thought of as wireless transmitters/receivers that are 
potentially located in spatially separated positions, as depicted 
in Fig. Q] Our two "legal" protagonists are the usual Alice 
and Bob, and for the sake of discussion throughout this paper, 
Alice will serve as the transmitter that initiates communication, 
while Bob will serve as the intended receiver. Their nefarious 




Fig. 1. The adversarial multipath environment involving multiple scattering 
surfaces. The transmission from Alice (A) to Bob (B) experiences different 
multipath effects than the transmission by the adversary, Eve (E). 



adversary, Eve, will serve as an active adversary that injects 
undesirable communications into the medium in the hopes of 
spoofing Alice. 

Our security objective, broadly speaking, is to provide 
authentication between Alice and Bob, despite the presence 
of Eve. Since Eve is within range of Alice and Bob, and 
capable of injecting her own signals into the environment to 
impersonate Alice, Bob must have the ability to differentiate 
between legitimate signals from Alice and illegitimate signals 
from Eve. 

Consider a simple transmitter identification protocol in 
which Bob seeks to verify that Alice is the transmitter. Suppose 
that Alice transmits probes into the channel at a rate sufficient 
to assure temporal coherence between channel estimates and 
that, prior to Eve's arrival, Bob has estimated the Alice-Bob 
channel. Eve wishes to convince Bob that she is Alice. Bob 
will require that each information-carrying transmission be 
accompanied by an authenticator signal. The channel response 
to a transmitted signal between Alice and Bob is a result of the 
multipath environment. Bob may use the received version of 
the authenticator signal to estimate the channel response and 
compare this with a previous record for the Alice-Bob channel. 
If the two channel estimates are "close" to each other, then 
Bob will conclude that the source of the message is the same 
as the source of the previously sent message. If the channel 
estimates are not similar, then Bob should conclude that the 
source is likely not Alice. 

There are several important issues related to such a pro- 
cedure that should be addressed before it can be a viable 
authentication mechanism. First is the specification of the 
authenticator signal that is used to probe the channel. There are 
many standardized techniques to probe the channel, ranging 
from pulse-style probing (including PN sequences) to multi- 
tonal probing [18], and we may use these techniques to 
estimate the channel response. Regardless of what probing 
method is employed, the channel response can be characterized 
in the frequency domain, and throughout this paper we will 
represent our channels in that domain. 

A second issue is that in a richly scattered multipath 
environment (typical of indoor wireless environments), it is 
difficult for an adversary to create or precisely model a wave- 
form that is transmitted and received by entities that are more 
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than a wavelength away from the adversary. This assertion is 
supported by the well-known Jakes uniform scattering model 
[19], which states that the received signal rapidly decorrelates 
over a distance of roughly half a wavelength, and that spatial 
separation of one to two wavelengths is sufficient for assuming 
independent fading paths. The implication of such a scattering 
model in a transmitter identification application remains to be 
tested, and a key objective of this study is to examine the utility 
of a typical indoor multipath environment for discriminating 
between Alice-Bob and Eve-Bob channels. 

Finally, it should also be noted that the channel response 
may change with time due to changes in the environment (peo- 
ple moving, doors opening or closing) and in practice it will 
be necessary to guarantee the continuity of the authentication 
procedure by probing the channel at time intervals less than the 
channel's "coherence time". This paper examines the ability to 
authenticate transmitters in such a time-variant environment, 
and serves to illustrate the potential for new forms of physical 
layer security. 

IV. Channel Model 

A. Basic Form 

We assume that Bob first measures and stores the frequency 
response of the channel connecting Alice with him. Due to 
his receiver thermal noise, Bob stores a noisy version of 
the channel response, H A (f). After awhile, he has to decide 
whether a transmitting terminal is still Alice, based on a noisy 
measured version, H t (f), of that terminal's channel response 
to Bob. By sampling H A (f) ™d H t (f) at / e (/„-W/2, /„+ 
W/2], Bob obtains two frequency response vectors, and 
H t , of length M, where W is the measurement bandwidth; f a 
is the center frequency of the measurement; and the vector 
elements are frequency response samples at M uniformly 
spaced frequencies over the measurement bandwidth. 

We consider a generalized time-variant channel response, 
where each frequency response sample is made up of three 
parts: the fixed part that is the average channel response 
over time and contains the spatial variability information, the 
variable part with zero mean, and the receiver noise. Thus the 
m-th element of at time kT from some arbitrary time 
origin can be written as 

H A>m [k] = H A , m + e A . m [k] + N AtTn [k] , 1 < m < M, 

(1) 

where we use the notation that AT m [fc] is the sample from 
X(t;f) at the m-th tone at a sampling time of kT. More 
specifically, X m [k] = X(kT;f - W/2 + mAf), m = 
1, ■ • • , M, where Af = W/M; M is the sample size in the 
frequency domain; and T is the sampling interval. The term 
H A . rn is the average value of the m-th tone over time, £A.m[fc] 
is the zero-mean variable part at time kT, and N A , m [k] 
represents thermal noise sample at the m-th tone at time 
kT. The noises are modelled by CN(0,a%), i.e., zero-mean 
complex Gaussian samples with variance a 2 ^. Without loss 
of realism, we can assume that they are independent across 
time, tone (frequency) and terminal (space), and that e A m [k] 
is independent of N Ayjn [k}. 



B. Delay Profile and Doppler Spectrum (Temporal Fading) of 
the Variable Part 

We model the variable part of the channel response as wide- 
sense stationary uncorrelated scattering (WSSUS), and can 
thus use a multipath tapped delay line to model its impulse 
response, h(t,r) [20]: 

oo 

h{t,T) = J2Mt)S(t-l&T), (2) 

;=o 

where t is the observation time, and I At and Ai(t) are, 
respectively, the delay and complex amplitude of the l-\h 
multipath component, with E[Ai(t)] = over time. We set 
At = 1/W, since the receiver cannot resolve two components 
with time difference smaller than the inverse of the bandwidth. 

The frequency response of the variable part is the Fourier 
transform of hit; r) in terms of r, 

£A,m[k] — T{h{t; T)}\ t= kTJ=f -W/2+mAf 
oo 

= J2Mk}e- j2<f °- W/2+mAf)lA , (3) 

1=0 

where Ai[k] = Ai(kT) is the amplitude sample of the 
multipath component at time kT. 

For illustrative purposes, we use the one-sided exponential 
distribution to model the power delay spectrum of A;[fcJ3, i.e., 

P r [l] = Vzi[Ai[k}} = 4(1 - e-^e-^ 1 , (4) 

where 7 = 2ttB c is the inverse of the average delay spread, 
B c is the coherence bandwidth of the variable part, and a\ is 
the average power of A[[k] over all taps. 

Also for illustrative purposes, we use an autoregressive 
model of order 1 (AR-1) to characterize the temporal process 
of Ai[k], i.e., 

Ai [k] = aAi [k - 1] + V '(1 - a 2 )P T [l}ui [k] , (5) 

where the AR coefficient a denotes the similarity of two 
Ai values spaced by T and the random component ui[k] ~ 
CN(0, 1) is independent of Ai[k - 1]. 

C. Spatial Correlations 

As pointed out in Section U in a typically rich scattering 
environment, the radio channel response decorrelates quite 
rapidly in space. Later, we will cite the use of the ray-tracing 
software WiSE to emulate the spatial correlation characteris- 
tics of the fixed part of the channel response (H ). As to the 
variable part, however, we consider the two extreme cases: 
1) Spatially independent and identically distributed e. The 
frequency response sample of the channel between Eve and 
Bob can be written as 

H E , m [k] = H E \k]+N Etm [k} : (6) 

'The literature abounds with empirical data [21] and theoretical examples 
[22] in which the exponential delay profile appears. We invoke it here for the 
sake of concreteness, which will allow us to compute numerical results, but 
we also recognize it to be a realistic condition. 



4 



where 1 < m < M, He,™ = E[HE, m [k]] is the time 
average; thermal noise NE, m [k} ~ CN(Q, a%); and eE, m [k] 
and eA,m[k] are independent identically distributed (i.i.d.). 
2) Complete spatially correlated variation (eE.m[k] = 
£A,m[k])- Here, we have 



H E , m [k] = H E ,m + <U,m [k] + N E , m [k], 1 < to < M. 



(7) 



D. Important Relationships 

Two important relationships we will use in the hypothesis 
testing later are as follows (proofs are provided in the Ap- 
pendix): 

Relationship 1: 



H A [k] -K A [k- 1] ~ C/V(0,R), 



where 



R = Cov[H j4 [fc] -H A [fc- 1]] 

= [r(m - n)] m „, 1 < m, n < M, 

r(0) = 2(1 - a)c4 + 2cr^, and 



B c and cry. (We will discuss other cases in the later parts of 
this section.) We choose the test statistic in this default setting 

as 

Z = z H z = 2(K t [k] - H A [k - lD^R-^H^] - K A [k - 1]), 

(15) 

where z =v / 2(R a ? ) _1 (H t [/c] -¥L A [k- 1]), R and R d are the 
co variance matrix of [k] — H A [k — 1], (0, and its Cholesky 
factorization (i.e., R=R^ Rd). 

It can be shown that, when the transmitting terminal is Al- 
ice, each element of z is i.i.d., following a normal distribution, 
z = \ / 2(Rfy 1 (H A [k] -H A [k — 1]), where the elements are 
i.i.d., and z, ~ CN(0, 2), 1 < i < M. Thus the test statistic Z 
is a chi-square random variable with 2M degrees of freedom 
[23], i.e., Z = z H z - xw- 

We define the rejection region for Ho as Z > T. Thus, the 
"false alarm rate" (or Type I error) is a = P r {Z > T\Hq} = 
1 — Ey2 (T); and the "miss rate" (or Type II error) is given 
by (116k where Fx( ) is the CDF of the random variable X 
and F^ f 1 (-) is the inverse function of Fx()- For a specified a, 
(9) the threshold of the test is T = F~ 2 (1 — a), and the miss 
rate can be obtained by numerical methods. 



(8) 



r(m) 



24(l- ffl )(l-e- 2 ^/ ff ) 

J _ e -2TrB c /W-j2nm/M ' 



1 - M < m < M - 1. 

(10) 



Relationship 2: For the case with spatially independent time 
variation, 



H E [k] -Ha[* - 1] ~ CJV((H B - H A ), G), (11) 



where 



G = Cov[H E [fc] -EU[&- 1]] 

T T" ^CTjy 1 _ a 



Hi) 

1-a 

r(A/-l) 
1-a 



2(7^ + 2(7^ 



r(M-2) 
1-a 



r(l-Af) 
1-a 

r(2-A/) 
1-a 



2(7y + 2(T^r 



(12) 



V. Hypothesis Testing 



Here, we present formulas for hypothesis testing that will 
be reduced later to numerical results. 

A. General Case 

As in [16], Bob uses a simple hypothesis test to decide if 
the transmitting terminal is Alice or a would-be intruder, Eve. 
The null hypothesis, Ho, is that the terminal is not an intruder, 
i.e. the claimant is Alice; and Bob accepts this hypothesis if 
the test statistic he computes, Z, is below some threshold, T. 
Otherwise, he accepts the alternative hypothesis, Hi, that the 
claimant terminal is someone else. Thus, 



Ho: H t [k]=H A [k] 
Hi: H t [k]?H A [k], 



(13) 
(14) 



First, we assume spatially independent time variations and 
assume Bob knows the key channel variation parameters a, 



B. Asymptotic Results for Low Correlation Bandwidth 

When the variation is independent over tones (i.e., 
B c /W <C 1), the covariance matrices of Eq. (0 and (fT2] i 
become 

R = Cov[H A [fc] - H A [fc - 1]] = (2(1 - a)al + 2a 2 N )I 
G = Cov[H £ [fc] - H A [k - 1]] = (24 + 2a%)I, (17) 

where I is the identity matrix. Thus the test statistic Eq. (fT~5T > 
becomes 



where 



|H t [fc]-H A [fc-l]| 2 _ 
(1 - a)a\ + a% 

(1 - a)a\ + a 2 N 



P = 



(18) 



(19) 



'JV 



It is easy to see that, under H\, the test statistic is a 
non-central chi-square distribution with order 2M, i.e., Z2 ~ 
X2M u, w i trl non-central parameter 



J2m=l \ H E,rn - H A . 

0-% + <y\ 



(20) 



'T ~ u N 

Thus, the miss rate for specified a, ( fT6] l, can be written as 
& - P r {Z < T\Hi} = F x , {p¥-J (1-a)). (21) 

C. Asymptotic Results for High Correlation Bandwidth 

When the variation is totally correlated over tones (i.e., 
B c /W 3> 1), the covariance matrices of (0 and ( fl2] i degrade 
to 



R = 2ajfl + 2(1 - a)a^l 
G = 2a%I + 2cr§,l, 



(22) 
(23) 



where 1 is a M x M matrix with each element equals to 1. 
Again, we can use Eq. ( fl6l ) to numerically calculate the miss 
rate (3 for specified false alarm rate a. 
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(3 = P r {Z < T\Hi] = P r {2(H E [k} - H A [k - l^R-^HE.tik] -H A [k - 1]) < F, 1 (1 - a)}, 



(16) 



D. Unknown Parameters 

When Bob does not know the parameters a, B c and ut, it 
is reasonable for him to use as the test statistic 



0.2 m 



z = \\n t [k]-n A [k-\] 



(24) 



In this case, we can obtain numerical results for the false alarm 
rate and miss rate for specified threshold 7~, plotting (3 vs. a 
with T as an implicit parameter. 

E. Full Spatial Correlation 

Now we consider the other extreme case of spatial corre- 
lation, namely, CE, m [k] = £ A , m [k] (full spatial correlation). 
The spatial correlation has no impact under the hypothesis 
TCq. However, under the hypothesis Hi, the correlation matrix 
of the difference between two measurements becomes R, and 
H B [k] - H A [k - 1] ~ CN((H E - H A ),R). Thus, the test 
statistic under Hi is non-central chi-square distributed, Z = 
|x/2(Rf)-HH B [fc]-H A [fc-l] 

parameter p<, = |\/2(R?) _1 ( H i5 
rate for the fully spatially correlated temporal variation can be 
written as 



~ X2AI fi ' w i tn non-central 
H^)| 2 . Therefore, the miss 







F v 2 (F" 2 J 

X2Af,f, V X2 



(1-a)). 



(25) 



F. Discussion: Impact of Time Variations 

As a benchmark, from (fJTJ we have the miss rate for the 
time-invariant channel as [16], 



/5 = F^ M (Fi (1-a)), 

^2M,fj, A.2M 



(26) 



where p = £ m=1 \H E , m ~ H A<m \ 2 /a 2 N . 

In the presence of time variation, however, the miss rate 
may become smaller. The asymptotic miss rate for the time- 
variant channel at high bandwidth, ( |2T1 >. increases with p, ( fl9l >, 
and decreases with p, d20l >. As the time variation o\ rises 
from to 00, p decreases from 1 to 1 — a and p falls from 
E m= i \HE.m - H A>m \ 2 /a-% to 0, which may results in a 
smaller miss rate. 

Actually, the temporal-variation has a two-fold impact: 1) 
It adds uncertainty to the channel from Alice, and thus Bob 
has to increase the test threshold to accept Alice (negative 
impact on the performance); 2) the variation is usually strongly 
correlated in time while very weakly correlated in space, and 
thus e A [k] — e A [k — 1] < e E [k] — e A [k — 1] (positive impact 
on performance). 

When ot is negligible, the channel can be viewed ap- 
proximately as a time-invariant one, wherein the miss rate 
is given by (1261 ). As cry rises, the miss rate falls since the 
positive impact dominates. If the variation continues to rise and 
becomes very large, the miss rate begins to rise, as the need 
to raise the threshold helps Eve and counteracts the positive 
impact. When cry becomes so large that both the fixed part 
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Fig. 2. System topology assumed in the simulations. Bob is located at 2-m 
height near the center of a 120 m X 14 m X 4 m office building. Alice and 
Eve are located on dense grids at a height of 2 m. The sizes of the grids are 
N s = 150, 713, 315, and 348, respectively, for Room # 1, 2, 3 and 4. 



of the channel response and the thermal noise are relatively 



H A , m \ 2 ), 



(27) 



negligible (i.e., <j\ > a 2 N , a\ > Em=i \ H ® 
then using d2TT > we can rewrite the miss rate as 

(3 « ¥ xl ((1 - a)F J (1-a)), 

which is a function of the time-correlation of the temporal 
variation parameter (a), frequency sample size (M), and the 
false alarm rate (a). If the variation is strongly correlated in 
time (a w 1), the miss rate can be less than that for the noise- 
dominated case, ( 126*1 ). where the thermal noise is usually not 
negligible due to the limited transmit power. An illustration of 
this trend will be given later. 

Finally, we consider the impact of the spatial correlation of 
time variations. The miss rate with total spatial correlation, 
(l25l l. decreases with p in a manner that is proportional to the 
inverse of R, (O, and thus rises with <jy. Since a strong spatial 
correlation of the time variation damages the spatial variability 
character of the channel, which is the basis of our scheme, it 
will degrade the system performance. 

VI. Simulation Methodology 
A. Simulating the Transfer Functions 

In order to test the proposed scheme, it is necessary to model 
not only "typical" channel responses, but the spatial variability 
of these responses. Only in this way can we discern the success 
in detecting would-be intruders like Eve. To that end, we make 
use of the WiSE Tool, a ray-tracing software package devel- 
oped by Bell Laboratories [24]. One input to WiSE is the 3- 
dimensional plan of a specific building, including walls, floors, 
ceilings and their material properties. With this information, 
WiSE can predict the rays at any receiver from any transmitter, 
including their amplitudes, phases and delays. From this, it 
is straightforward to construct the transmit-receive frequency 
response over any specified frequency interval (bandwidth). 

We have done this for one particular office building (the 
Alcatel-Lucent Crawford Hill Laboratory in Holmdel, NJ), for 
which a top view of the first floor is shown in Fig. [2] This 
floor of this building is 120 meters long, 14 meters wide and 
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4 meters high. For our numerical experiment, we placed Bob 
in the hallway (the filled-in circle) at a height of 3 m. For 
the positions of Alice and Eve, we considered four rooms 
at the extremities of the building (shown shaded). For each 
room, we assumed Alice and Eve both transmitted from a 
height of 2 m, each of them being anywhere on a uniform 
horizontal grid of points with 0.2-meter separations. With N s 
grid points in a room, there were N S (N S — l)/2 possible pairs 
of Alice-Eve positions. For Rooms 1, 2, 3 and 4, the numbers 
of grid points were N s = 150, 713, 315 and 348, respectively. 
For each Alice-Eve pair, (1) WiSE was used to generate the 
Alice-Bob and Eve-Bob average channel responses 
and H _e(/)); and (2) the hypothesis test described above was 
used to compute (3 for a specified a. The set of all /3-values in a 
room were used to compute a room-specific mean, (3, for each 
of several selected combinations of bandwidth (W), number 
of frequency-domain samples (M), transmit power (Pt), and 
channel variation models. 
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Fig. 3. The average miss rate as function of the relative standard deviation 
of the time variation, for the channel with spatially independent temporal 
variation. M = 10, W = 10 MHz, a = 0.9 and B c = 0. 



B. Transmit Power, Receiver Noise, and Time Variation 
Strength 

Assume that, in conjunction with WiSE, we obtain the var- 
ious transfer functions as dimensionless ratios (e.g., received 
^-field/transmitted E'-field). Then the proper treatment of the 
noise variance, a 2 N , in the hypothesis test is to define it as the 
receiver noise power per tone, Pjy, divided by the transmit 
power per tone, Pt /M, where Pt is the total transmit power. 
Noting that Pm = nTNpb, where kT is the thermal noise 
density in mW/Hz, Np is the receiver noise figure, and b is 
the measurement noise bandwidth per tone in Hz [18], we can 
write 



nTNpb M 



'N 



P T /M 



r ' 



(28) 



where Pt is in mW, and Y — Pt/Pn- We will henceforth 
refer to Y by its decibel value. 

Let b T denote the ratio between a T and the value of \H\ 2 
averaged over the M frequency samples (or "tones") and the 
N s receiver locations. We can thus write the standard deviation 
of the time variation as 



<jt = bTH = bT 



\ 



1 



M N 3 



MN. 



(29) 



m=l 1=1 



where H can be regarded as a room parameter, and &t 
represents the relative magnitude of the time variation in a 
given room. 

VII. Numerical Results 

In our simulations, we set fo — 5 GHz, Np — 10 (10 
dB noise figure), kT = 10~ 17 - 4 mW/Hz, b = 0.25 MHz, 
a = 0.9, and, unless specified otherwise, a = 0.01 [25]. As 
noted earlier, we place Alice and Eve on dense grids in each 
of four rooms at the corners of a particular building, with Bob 
in the hallway, Fig. [2] We obtained a miss rate for each Alice- 
Eve pair in each room, and then calculated the average mean 
value for each room in the building. Among them, Room # 4, 



as the farthest room from Bob, is likely to have the poorest 
performance in rejecting Eve. In that sense, it lower-bounds 
the capabilities of our PHY-layer authentication algorithm. For 
reasons of space, we will only present results for Room # 4, 
keeping in mind that they are essentially worst-case or close 
to it. 

Figure [3] confirms the efficacy of the algorithm in the 
presence of channel time variations. We assume realistic 
system parameter values (Pt = 1 mW ~ 1 W, M = 10 
and W = 10 MHz), and find that most average miss rates are 
smaller than 0.01. The per tone signal-to-noise ratio (SNR) in 
the channel measurements ranges from -12.8 dB to 14.2 dB, 
with a media value of 6.4 dB, if using Pt = 10 mW, M = 10 
and W = 10 MHz. Also, as pointed out in Section [VJ our 
proposed algorithm can exploit the time variations to improve 
performance. For example, the miss rate falls from around 
0.01 to 10~ 5 when b T rises from 0.01 to 1, with P T = 100 
mW. The trend of these curves with time variation confirms the 
discussion in Section IV-Fl e.g., the minimum average miss rate 
is a tradeoff between the positive impact of the time variation 
and its negative impact resulting from the rise of the threshold. 
Moreover, the miss rate falls with the transmit power Pt, 
as expected, since it reduces the measurement noise at the 
receiver. 

Figure 0] demonstrates the impact of the bandwidth W and 
the coherence bandwidth B c . We note that the results for B c = 
and B c = oo are the lower and upper bounds, respectively, 
of the miss rates, as well as the asymptotic results for the 
high- and low-bandwidth regions. It is clear that frequency 
correlations degrade performance. A related finding is that the 
miss rate decreases with increasing bandwidth, W, since the 
frequency response samples are more independent with larger 
W. 

Figure [5] indicates that there is little benefit (or even a 
deficit) in increasing M beyond ~ 10, unless the frequency 
correlation is very small (e.g., B c = 0) with high transmit 
power. Actually, the optimal sample size M in terms of 
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Fig. 4. The average miss rate as a function of the measurement bandwith 
W, for the channel with spatially independent temporal variation. M = 5, 
a = 0.9, b T = 0.5, and P T = 10 mW. 



Fig. 6. Average miss rate vs. average false alarm rate when Bob does 
not know the channel parameters, for the channel with spatially independent 
temporal variation. W = 50 MHz, M = 10, a = 0.9, and B c = 2 MHz. 




Fig. 5. The average miss rate as a function of the number of frequency Fig. 7. Average miss rate vs. M, for the channel with totally spatially 
samples, for the channel with spatially independent temporal variation. W = correlated temporal variation. W = 100 MHz, B c = 2 MHz, P T = 0.5 W, 
10 MHz, a = 0.9, b T = 0.5, and P T = 10 mW. and a = 0.9. 



miss rate for specified measurement bandwidth decreases with 
the coherence bandwidth B c , because the noise power (l28T > 
rises with M and the frequency-response samples are more 
correlated with larger B c . 

We see in Fig. [6] that the algorithm works even when Bob 
does not know the key channel parameters, although it requires 
either more transmit power or greater tolerance for Type II 
errors. Interestingly, the time-variation may still help here, e.g., 
the miss rate falls as bx rises from 0.1 to 1. How to set the 
test threshold T in this case is an open topic. 

Finally, Fig. [7] shows that the system is very sensitive to the 
time-variation in an extreme case of full spatial correlation. It 
requires much more transmit power (Pt ~ 0.5W) to reach the 
same miss rate performance. The reason is quite simple: the 
mechanism of our scheme is to utilize the spatial variability 
of the channel responses. The spatial correlation of the time 
variation decreases the overall spatial variability and thus 
degrades the performance. 



The above assertions apply as well to the other shaded 
rooms in Fig. [2] and, we can safely assume, to the other rooms 
in the building. 

VIII. Conclusion 

We have described and studied a physical layer technique 
for enhancing authentication in a time-variant wireless en- 
vironment. Specifically, we assume the user terminals are 
stationary but changes in the environment produce additive 
time-varying changes in the channel responses. The technique 
uses channel frequency response measurements and hypothesis 
testing to discriminate between a legitimate user (Alice) and 
a would-be intruder (Eve). With the ability to utilize the 
temporal-variation, it works even when the receiver does 
not know the key channel variation parameters, namely, the 
AR temporal coefficient a, the coherence bandwidth B c and 
the standard deviation of the variation <tt, although these 
parameters help reduce the miss rate if known. 



x 



The algorithm has been verified in a typical in-building 
environments, where we used the ray-tracing tool WiSE 
to generate realistic average channel responses and used a 
multipath tapped delay line channel model for the temporal 
variation part of the channel response. Simulation results have 
confirmed the efficacy of the algorithm for realistic values of 
the measurement bandwidth (e.g., W ~ 10 MHz), number of 
response samples (e.g., M < 10) and transmit power (e.g., 
Pt > 10 mW). The miss rate is generally smaller than 0.01, 
for a specified false alarm rate of 0.01, in the presence of 
moderate channel time variations. 

We have found that the channel time variations can improve 
the performance, e.g., the miss rate falls from around 0.01 to 
10 -5 when the variation index rises from 0.01 to 1, with 
Pt = 100 mW. In addition, the miss rate decreases with the 
transmit power of the probing signal and the measurement 
bandwidth, and usually requires frequency samples of fewer 
than 10. We have also shown that the time correlation of the 
channel variation is helpful, while coherence in the frequency 
and spatial domains are harmful. 

Research is currently in progress to address the case of user 
terminal mobility. Effort is also needed, for the stationary case, 
to explore the parameter space (e.g., the temporal coherence 
term a); devise means of setting the test threshold T; consider 
other buildings; and conduct experiments to more accurately 
characterize the time- variation properties of indoor channels. 
Moreover, we are working to integrate physical layer au- 
thentication into a holistic cross-layer framework for wireless 
security that will augment traditional "higher-layer" network 
security mechanisms with physical layer methods. 

Appendix I 
Proof of Relationship 1 

Since A t [k] ~ CN(0, P T [l\), from Eq. © and ©, we have 

OO 

E[e A , m [k]] =J2 E l A Me- j2 ^ f °- W/2+mAf)lA ] = (30) 

1=0 

and 

oc 

Var[ eAro [fc]] = Y, V ^Mk}e^ 27T{f °~ W/2+mAf}lA ] 



£Var[A ; [fc]] 

1=0 

oo 

^4(l_ e -7Ar )e - 7 Ar/ =(J 2 (31) 



1=0 



Here we also utilize the fact that any two different multipath 
components in a WSSUS channel are uncorrelated, i.e., VZi ^ 

l 2 , Wki,k 2 , 



E[A h [k 1 ]A l2 [k 2 ]}=0 



(32) 



Considering that Ai[k — 1] and ui[k] are both zero-mean 
and independent to each other, we see from Eq. (O and (O 
that 

E[Ai [k\]Ai[k2]\ = al fel - fe2 IVar[A i [min(fc 1 ,fc 2 )]] 

= a |fel - fe2l 4(l-e- 7AT )e- 7Ar (33) 



Then from ©, d32l ). and d33T >. we have 

E[eA, m [ki}eA,n[ki]*] 

OO OO 

l 1= 0l 2 =0 

, -j2w[(f -W/2+mAf)h-(f -W/2+nAf)l 2 ]/W 



Y^ElA^AiM^ 



(n-m)Afl/W 



1=0 



*=i-feL2, 



'a T (l-e )e 

1=0 

_ q|fcl-fc2l CT 2( 1 _ e - 7 AT- ) 
— ^ — p -7AT+j27r(n-m)A/iAr 

By CQ), (ED, and (OH, we get 



yAr^ p -jATl j2ir(n-m)Afl/W 



(34) 



Var[H A , m [k] - H A , m [k - 1]] 

= Var^mM - eA,m[k - 1] + N A ^ n [k] - N A: , n [k - 1]] 
= Var[e^ m [fc]] + Var[e A!m [/c - 1]] 

- 2Cov[eA,m[fc] [k-l]}+Yar[N Aim [k]} 

+ Var[7V A , m [fc-l]] 
= 24 - 2E[e A , m [k]e* Am [k - 1]] + 2a 



N 



2a T (l - a) + 2a 



(35) 



The thermal noise components are independent of each other 
and all the other variables, and the fixed part of the channel 
can be viewed as constant, so Vm 7^ n 

r(m — n) 

= Cov[if A ,mM - H A , m [k - l],H A , n [k] - H A , n [k - 1]] 
= Cov[e A ,m[fc] -e Atm [k- l],e AtTl [k] - e A ,„[k - 1]] 
= E[e A , m [k]eX n [k}} + E[e A , m [k - l]e% n [k - 1]] 
- E{e A , m {k}e% n {k - 1]] - E[e A , m [k - l]e* A Jk}} 
24(1 - a)(l - e"T AT ) 



^ g — yAT+j2Tr(n — m)Ar Af 

24(1 - a)(l - e - 2 ^ w ) 

I _ e -2irB c /W+j2TT(n-m)/M 



(36) 



It can be easily proved that H^fc] — H A [k — 1] has zero 
mean and is a Gaussian random variable, since it is the linear 
combination of Gaussian random variables. 

Appendix II 
Proof of Relationship 2 

For the case with spatially independent time variation where 
££,m[fc] and e A . m [k] are independent identically distributed, 
from (fl~|l and © we have 

\K[H E , m [k]-H Atm [k-l]] 

= Vm[e E , m [k] - e A , m [k - 1] + N E , m [k] - N A , m [k - 1]] 
= Var[e E , m [fc]] + Var[e A , m [/c - 1]] 
+ Var[iV A , m [fc]]+Var[iV E , m [fc]] 
= 24 + 24 (37) 
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And Vm 7^ Tl, [22] P. A. Bello and B.D. Nelin, "The effect of frequency selective fading 

on the binary error probability of incoherent and differentially coherent 

Cov[iJg m \k] — Ha m[k — l]j He n \k\ — Ha n\k — 1]] matched filter receivers," IEEE Trans. Commun. Syst., vol. CS-11, pp. 

-r \ \1A U. 11 ' rn 'ri.ni 170-186, June 1963. 

— \^OY[eE,m,[K\ eA,m[K L\,£E,n[ K \ e A,n [K 1JJ [23] M. Abramowitz and I A. Stegun, New York: Handbook of Mathematical 

= EltE \k\(* \k\\ + E\ca \k lie* \k 111 Functions, With Formulas, Graphs, and Mathematical Tables, Courier 

' £, ' A,nl Dover Publications, 1965. 

2(7^(1 - e~ lAr ) [24] S. J. Fortune, D. H. Gay, B. W. Kernighan, O. Landron, M. H. 

= Z —jAT+j2ir{n—m)ATA f = r i m n ) / a ) (38) Wright, and R. A. Valenzuela, "WiSE design of indoor wireless systems: 

e Practical computation and optimization," IEEE Computational Science and 

From © and © we also see that E[K E [k] - H A [k - 1]] = Engineering, vol. 2, pp. 58-68, Mar. 1995. 

T? TT *ti i i i • i [25] A. Tee, "Clarifications on the link budget evaluation," IEEE Document 

He — Ha- The other part is similar to that or Relationship 1. C802 20-05/18 2005 
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